The difference between dropping and rejecting is that when you just deny the
packets, the sender will wait for a response until the timeout is reached.
With a reject, the sender knows immediately that you are rejecting his
connection attempt.  I have seen this in one scenario with internal and
external SMTP relays.

You have a translated address on the firewall that is directed at your
internal SMTP gateway, which is the MX 10 record for your domain.  All mail
servers will try to send to this server as he is your mail exchanger.  Now
you have an anti-spam or content filtering server in your DMZ or out on
the net as your MX 20 record.  REJECT all connections to the MX 10 host
from all except your filtering server, so what happens is ALL mail gets
filtered through this filtering box.  You are rejecting because you want
the other mail servers to know they are not allowed to connect and will
immediately send to the MX 20, which, after ensuring all is well and safe,
then relays to your internal mail server.

Just one example, but a good one (though I cannot take credit for its
conception).


Carric Dooley CNE
COM2:Interactive Media
http://www.com2usa.com

"Talent does what it can; genius does what it must." 
                - Edward George Bulwer-Lytton 


On Wed, 8 Sep 1999, Bennett Samowich wrote:

> This may be another newbie question, when "dis-allowing" certain packets
> is it better to deny or reject? Why the different actions?
> 
> Thanks
> - Bennett
> 
> -
> [To unsubscribe, send mail to [EMAIL PROTECTED] with
> "unsubscribe firewalls" in the body of the message.]
> 

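The MX 10 / MX 20 setup described in the reply above, written out as an nftables ruleset. This is an added example, not a configuration from the original post or from the poster's site: it assumes a Linux firewall running nftables that DNATs the public MX 10 address to the internal SMTP gateway, and every address, interface name and table name below is a placeholder (the IPs come from the RFC 5737 documentation ranges).

```nft
#!/usr/sbin/nft -f
# Added example, not part of the original post. Assumes a Linux firewall
# running nftables that translates the public MX 10 address to the internal
# gateway. All addresses and names are placeholders (RFC 5737 ranges).

define wan_if        = "eth0"
define mx10_public   = 203.0.113.25    # address published in DNS as MX 10
define mx10_internal = 192.0.2.25      # internal SMTP gateway behind the NAT
define filter_server = 198.51.100.20   # DMZ anti-spam relay, published as MX 20

flush ruleset

table ip mailfw {
    chain prerouting {
        type nat hook prerouting priority dstnat; policy accept;

        # The "translated address on the firewall": public MX 10 -> internal gateway.
        iifname $wan_if ip daddr $mx10_public tcp dport 25 dnat to $mx10_internal
    }

    chain forward {
        type filter hook forward priority filter; policy drop;

        ct state established,related accept

        # Only the filtering relay may open SMTP sessions to the internal gateway.
        # DNAT has already run, so the forward chain sees the internal address.
        ip saddr $filter_server ip daddr $mx10_internal tcp dport 25 ct state new accept

        # Everyone else gets a TCP RST. The sending MTA sees "connection refused"
        # on its very first SYN and moves on to the MX 20 host at once.
        ip daddr $mx10_internal tcp dport 25 reject with tcp reset

        # The alternative the thread compares against. With a silent drop the
        # sender keeps retransmitting its SYN until its own connect timeout
        # expires, and only then falls back to MX 20. Left disabled here.
        # ip daddr $mx10_internal tcp dport 25 drop
    }
}
```

Load it with `nft -f` and check with `nft list ruleset`. `reject with tcp reset` is the right choice here rather than the default ICMP port-unreachable: a RST is processed by the sender's TCP stack itself and turns into an immediate `ECONNREFUSED`, whereas some stacks and middleboxes treat an ICMP error as soft and keep retrying. One caveat on the design itself: the rule only gates the path through this firewall, so the internal gateway should also refuse port 25 from anything but the filtering relay, and the relay should be locked down as a relay-for-your-domain-only host, since it is now the one public door into your mail system.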